Yahoo Protects Users with Lots More Encryption

We were thrilled to hear today that Yahoo is carrying through a concerted effort to protect users across its sites and services by rolling out routine encryption in several parts of its infrastructure. The company's statement announced that, among other things, it now encrypts traffic between its data centers, makes secure HTTPS connections the default for some web sites, and has turned on encryption for mail delivery between Yahoo Mail and other email services that support it (like Gmail).

We've long asked Internet companies to take some of these steps, most recently through our Encrypt the Web scorecard. We're updating that scorecard to give Yahoo credit for two new security measures (forward secrecy and STARTTLS). In light of reports that governments have directly tapped Internet backbones to obtain secret access to millions of people's private communications, it's become clear that routine use of encryption is an important basic measure for privacy and security online. Without it, any network operator (from the smallest wifi node to the largest Internet backbone companies), or anyone who can coerce or infiltrate one, can easily see the intimate details of what people are saying online.

Yahoo's use of encryption will make that harder. Additionally, the company's decision to adopt forward secrecy for encrypted connections means that the contents of old encrypted connections should stay private even if Yahoo loses control of its own secret keys.

It's important to note that all these uses of encryption protect only communications in transit between a user and Yahoo's servers, or between different parts of Yahoo's own infrastructure. That means they don't in any way change Yahoo's ability to turn over user data in response to government requests. They make it more difficult for any government to use its access to network infrastructure to secretly intercept users' communications, but governments can still come directly to Yahoo with demands for access to user data.

We commend Yahoo for taking these steps, and hope today's announcements will continue to foster a recognition that encryption is an industry standard.
